1:1 Trunk to AD FS 2.0 Farm

In recent posts, I’ve been flicking between two configuration states on two different trunks:

Federated Trunk A

Non-Federated Trunk B

I’ve been using two ADFS instances in the back-end, testing various combinations using the mythical sts.mydomain.com and sts1.mydomain.com endpoints.

There is one limitation that becomes very clear during testing:

an AD FS instance may be used by a single trunk only

AD FS instances cannot be shared across trunks. What !@#!.. that’s crazy!! Well, not really.. When you consider that UAG is proxying federation services endpoints, this does make a lot of sense. We cannot arbitrarily share instances of our federation service across different trunks, because that goes against the very nature of a federated trust. It can be represented in one and only one place. When we try and share the same service across multiple trunks, UAG chucks out the following message:

The AD FS authentication server ‘AD FS 2.0 …" is used in more than one trunk: TrunkA, TrunkB. Configure the UAG to use the AD FS 2.0 authentication server in one trunk only.